#1128972 apache2-bin: implicit Main DocumentRoot (/var/www/html) may serve content not declared in active vhost or config

Package:
apache2-bin
Source:
apache2-bin
Description:
Apache HTTP Server (modules and other binary files)
Date:
2026-02-25 07:47:02 UTC
Severity:
normal
#1128972#5
Date:
2026-02-25 07:38:15 UTC
Dear Maintainer,


Description

On Debian-packaged Apache, apachectl -S shows a Main DocumentRoot of /var/www/html even when that path is not defined in the active runtime vhost configuration (sites-enabled) or other configs.
In my setup, direct IP requests (or requests with an unmatched Host header) can fall back to this implicit main context and serve content from /var/www/html, which is not explicitly declared in the active configs.
This is problematic from a security/operations perspective because Apache serves content that is not visible in the active sites-enabled configuration.


Environment

Debian (Debian-packaged Apache)
apache2-bin/oldstable-security,now 2.4.62-1~deb12u2 amd64


Steps to reproduce

1. Configure Apache with named virtual hosts in sites-enabled, each with explicit DocumentRoot paths (not /var/www/html).
2. Ensure Debian default site configs (000-default.conf, default-ssl.conf) are not enabled.
3. Check runtime config:
     apachectl -S shows active vhosts from sites-enabled/...
     apachectl -S also shows: Main DocumentRoot: "/var/www/html"
4. Confirm included files:
     apachectl -t -D DUMP_INCLUDES
     000-default.conf / default-ssl.conf are not included
5. Confirm no global DocumentRoot /var/www/html in active config:
     grep -RIn --perl-regexp '^\s*DocumentRoot\s+' /etc/apache2
     only vhost-specific DocumentRoot values are present in sites-enabled
6. Request the server by IP directly (or with an unmatched Host header), e.g.:
     curl http://<server-ip>/


Actual result

Apache may serve content from /var/www/html via the implicit Main DocumentRoot fallback context, even though /var/www/html is not explicitly configured in active sites-enabled vhost files.


Expected result

Apache should not serve content from an implicit package/binary default document root unless it is explicitly configured in the active runtime configuration, or this behavior should be clearly documented and easier to disable.


Additional observations

strings /usr/sbin/apache2 | grep -i "var/www\|htdocs\|document" shows /var/www/html in the binary, suggesting a package/binary-level default/fallback is present.


Notes / mitigation

A local mitigation is to define an explicit catch-all default vhost (deny/empty) as the first vhost on each IP:port (:80, :443), but the implicit fallback behavior is still surprising and not obvious from active vhost config alone.
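The catch-all default vhost described in the mitigation above, written out as an added example (it is not part of the bug report or of the Debian package). The file name, the empty directory /var/www/empty and the use of the Debian snakeoil certificate for the :443 listener are assumptions; adjust to local paths.

```apache
# /etc/apache2/sites-available/000-catchall.conf   (assumed file name)
# Enable with a2ensite; the "000-" prefix makes it sort before the named
# vhosts in sites-enabled, so it becomes the default server on each port.
# Create the empty directory first:  mkdir -p /var/www/empty

# Plain HTTP: first vhost on *:80, matched for bare-IP requests and any
# Host header that no named vhost claims.
<VirtualHost *:80>
    ServerName default.invalid
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        # Deny everything instead of falling back to the implicit
        # Main DocumentRoot (/var/www/html).
        Require all denied
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/catchall_error.log
    CustomLog ${APACHE_LOG_DIR}/catchall_access.log combined
</VirtualHost>

# HTTPS: same idea on *:443. A certificate is required for the vhost to
# load; the self-signed snakeoil pair from the ssl-cert package is assumed.
<IfModule mod_ssl.c>
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Require all denied
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/catchall_error.log
    CustomLog ${APACHE_LOG_DIR}/catchall_access.log combined
</VirtualHost>
</IfModule>
```

After `a2ensite 000-catchall` and a reload, `apachectl -S` should list this vhost as the default server for *:80 and *:443, and `curl http://<server-ip>/` should return 403 rather than content from /var/www/html.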